15:02:56 <d34dh0r53> #startmeeting keystone
15:02:56 <opendevmeet> Meeting started Wed May  8 15:02:56 2024 UTC and is due to finish in 60 minutes.  The chair is d34dh0r53. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:02:56 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:02:56 <opendevmeet> The meeting name has been set to 'keystone'
15:03:58 <d34dh0r53> #topic roll call
15:04:15 <d34dh0r53> admiyo, bbobrov, crisloma, d34dh0r53, dpar, dstanek, hrybacki, knikolla[m], lbragstad, lwanderley, kmalloc, rodrigods, samueldmq, ruan_he, wxy, sonuk, vishakha, Ajay, rafaelwe, xek, gmann, zaitcev, reqa, dmendiza[m], mharley, jph, gtema
15:04:24 <xek> o/
15:04:27 <gtema> o/
15:07:13 <d34dh0r53> o/
15:07:28 <d34dh0r53> #topic review past meeting work items
15:08:13 <d34dh0r53> #link https://meetings.opendev.org/meetings/keystone/2024/keystone.2024-05-01-14.59.html
15:08:21 <d34dh0r53> no updates from me
15:08:48 <d34dh0r53> #action d34dh0r53 Look into adding/restoring a known issues section to our documentation
15:08:58 <d34dh0r53> moving on
15:09:10 <d34dh0r53> #topic liaison updates
15:09:19 <d34dh0r53> nothing from VMT or Releases
15:12:17 <d34dh0r53> next up
15:12:40 <d34dh0r53> #topic specification OAuth 2.0 (hiromu)
15:12:57 <d34dh0r53> #link https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/ividHSpkyyILFlvpvWGNiSaT>)
15:13:21 <d34dh0r53> not sure if hiromu is around
15:14:22 <d34dh0r53> moving on
15:14:37 <d34dh0r53> #topic specification Secure RBAC (dmendiza[m])
15:14:50 <d34dh0r53> #link https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#z-release-timeline_... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/MRXZRGTYcLqxLCnIuKMEUOqq>)
15:15:16 <d34dh0r53> dmendiza: is on PTO this week, so no SRBAC update
15:15:28 <d34dh0r53> next up
15:15:42 <d34dh0r53> #topic specification Improve federated users management (gtema)
15:15:50 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/748748
15:15:50 <d34dh0r53> gtema: clearly against introducing bad API precedent, desperately waiting for other opinions
15:16:26 <gtema> as stated in etherpad - against bad api design, but desperately waiting for feedback from others
15:17:08 <gtema> and btw - thinking further (next step) I am actually wondering how external IdP should represent projects and roles
15:18:30 <d34dh0r53> yeah, I'm not sure, I think it would likely be IdP dependent and might make keystone's job very difficult
15:19:26 <gtema> right, and I do not want to invent workarounds. On the other side IdP is not really responsible for tracking of provider resources. It just takes care of user/group/role
15:19:44 <gtema> but anyway - now there is a problem that any sort of info must come from IdP
15:20:50 <gtema> today I started thinking about introducing a plugin to keystone that may be invoked to sync some group/project/role data with external system
15:20:57 <gtema> this is just thinking at the moment
15:21:43 <gtema> so imagine user wants to login and pre-auth plugin does the job to manage groups for the user in question (or just syncs data with some external system)
15:22:33 <gtema> there is definitely a performance issue to keep in mind
15:23:24 <gtema> anyway - please please please do review the spec (wrt my comments)
15:23:53 <gtema> any opinions are better than silence, because it is stuck
15:24:34 <d34dh0r53> ack, I'll add my thoughts as well
15:24:36 <d34dh0r53> next up
15:25:07 <d34dh0r53> #topic specification OpenAPI support (gtema)
15:25:10 <d34dh0r53> #link https://review.opendev.org/c/openstack/keystone-specs/+/910584
15:25:10 <d34dh0r53> gtema: waiting for reviews
15:25:57 <gtema> yupp, 2 weeks ago dmendiza added comments and stephenfin updated the change (sadly breaking it). But now it passes and following reviews are necessary
15:26:13 <d34dh0r53> Yeah, I read this but forgot to review, I'm all for it
15:26:29 <gtema> awesome, thanks Dave Wilde (d34dh0r53)
15:26:59 <d34dh0r53> np
15:27:18 <d34dh0r53> #topic open discussion
15:27:36 <d34dh0r53> passlib update... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/qZwZoezsFFwXlIPJOhwabZWn>)
15:29:30 <d34dh0r53> no update, the maintainer is missing again, we may have to pin requirements until either we can a) find a maintainer for passlib or b) replace it with something else.  Option a is vastly superior as replacing passlib will be difficult to say the least and might break existing deployments.
15:30:00 <d34dh0r53> several projects rely on passlib and my hope is for a takeover of the maintenance
15:30:10 <gtema> I am really wondering that after all discussion it again got stuck
15:34:45 <d34dh0r53> I just bumped the maintenance thread on passlib
15:34:58 <d34dh0r53> #link https://foss.heptapod.net/python-libs/passlib/-/issues/187
15:34:59 <gtema> cool
15:35:23 <d34dh0r53> next up
15:35:25 <d34dh0r53> domain manager (mhen)... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/cZdscGyOSLzDuLBOrUwzdJTm>)
15:35:57 <gtema> yupp, here few +1
15:36:32 <d34dh0r53> yeah, I'm good with that, I'll let dmendiza give the final +2
15:36:43 <gtema> awesome, thanks
15:37:00 <d34dh0r53> domain list scoping fix (mhen)... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/jUIcjXEcXUXxYElGGWKOpXMR>)
15:38:40 <gtema> I think it does not harm
15:38:53 <gtema> it extends verification
15:39:48 <d34dh0r53> ack
15:39:50 <gtema> ah, but dmendiza wrote this was already adapted recently
15:40:21 <gtema> and still he was not against that (just asking for rebase)
15:40:21 <d34dh0r53> Yeah, that's the question I have, I'll bug dmendiza about it when he gets back
15:41:40 <d34dh0r53> next up
15:41:42 <d34dh0r53> Enforcing scope in keystone breaks heat (and probably magnum) (tkajinam)... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/eoeipWuHhWbAXsurVjJXfmJB>)
15:42:31 <tkajinam> ok the first one got 2nd +2. that's nice
15:42:45 <d34dh0r53> I'm going to merge 914759, I just saw that dmendiza gave it a
15:42:46 <d34dh0r53> +c
15:42:56 <d34dh0r53> keyboard fail +2
15:42:56 <tkajinam> thx. I'll submit backport once these are merged in master.
15:43:12 <d34dh0r53> thank you tkajinam !
15:43:45 <tkajinam> :-)
15:43:51 <d34dh0r53> I'll go through the rest of the reviews after the meeting
15:44:03 <tkajinam> thanks
15:44:05 <d34dh0r53> FYI. Some of the post-release patches are still open (tkajinam)... (full message at <https://matrix.org/_matrix/media/v3/download/matrix.org/FgMfMrBJsuDCSfWaTPwoMYBN>)
15:44:08 <d34dh0r53> ditto for these
15:44:17 <d34dh0r53> anything that needs special attention?
15:44:21 <tkajinam> yeah. I think you already gave your +2 to these.
15:44:38 <tkajinam> because these are automated patches, I'd suggest single core approval rather than leaving these for long
15:44:52 <tkajinam> but it's basically up to the team. I just want to make sure these are on the radar of cores
15:45:06 <tkajinam> that's it
15:45:31 <d34dh0r53> no, I owe reviews for these, I'll take care of them today
15:45:32 <d34dh0r53> thanks
15:45:33 <d34dh0r53> moving on
15:45:39 <d34dh0r53> #topic bug review
15:45:54 <d34dh0r53> #link https://bugs.launchpad.net/keystone/?orderby=-id&start=0
15:46:15 <d34dh0r53> no new bugs for keystone
15:46:24 <d34dh0r53> #link https://bugs.launchpad.net/python-keystoneclient/?orderby=-id&start=0
15:46:36 <d34dh0r53> keystoneclient is good
15:46:48 <d34dh0r53> #link https://bugs.launchpad.net/keystoneauth/+bugs?orderby=-id&start=0
15:47:01 <d34dh0r53> no new bugs in keystoneauth
15:47:13 <d34dh0r53> #link https://bugs.launchpad.net/keystonemiddleware/+bugs?orderby=-id&start=0
15:47:26 <d34dh0r53> keystonemiddleware is also good
15:47:36 <d34dh0r53> #link https://bugs.launchpad.net/pycadf/+bugs?orderby=-id&start=0
15:48:00 <d34dh0r53> pycadf is clean
15:48:02 <d34dh0r53> #link https://bugs.launchpad.net/ldappool/+bugs?orderby=-id&start=0
15:48:12 <d34dh0r53> as is ldappool
15:48:19 <d34dh0r53> #topic conclusion
15:48:37 <d34dh0r53> Thanks everyone!
15:49:00 <d34dh0r53> Anyone have anything before we close?
15:49:11 <gtema> nothing from me
15:49:43 <tkajinam> it'd be nice if https://review.opendev.org/c/openstack/keystonemiddleware/+/909322 can be merged soon. we are quite close to getting rid of six which has been unnecessary for long.
15:49:48 <tkajinam> that's all from me :-)
15:50:05 <d34dh0r53> indeed
15:51:04 <gtema> I left +2, d34dh0r53 - feel free to +w
15:51:18 <d34dh0r53> done
15:51:36 <tkajinam> thanks, both :-D
15:51:45 <d34dh0r53> Awesome, thanks again all!
15:51:48 <d34dh0r53> #endmeeting